This simplifies the loading and cleanup logic, while providing ubiquitous support across JS frameworks. Buttons can now be added in any way imaginable and still work without requiring additional initialization. The upside of this aproach is that it doesn't require a mutation observer nor a global click listener, and is supported by all browsers that also support passkeys.
- Fix indentation
- Split awkward initializer into separate methods
- Rename credentials to passkeys
- Simplify authenticator registry loading
- Flatten nested errors under ActionPack::WebAuthn
- Set passkey current params only requests that use it
- Inline anemic methods
- Replace custom validation with ActiveModel::Validation
- Rename identity to holder in Passkey
- Rename credentials to passkeys in JS
- Extract framework library out of controllers
- Pass params hashes down to ActionPack
- Attempt to simplify public interface
- Push data decoding down to the classes representing the data
- Introduce has_passkeys
- Add CBOR bigint support
- Rename ActionPack::WebAuthn::Passkey to ActionPack::Passkey
- Add create_passkey_button helper
- Rename public-key to creation-options
- Add sign_in_with_passkey_button helper
- Dispatch events for the whole Passkey lifecycle
- Add ED25519 support
- Prevent crash on missing meta tag
- Validate resident key options
- Don't clobber existing ActionPack config options
- Validate cryptographic params
- Move CurrentWebAuthnRequest into ActionPack::Passkey
- Use ActiveModel::Attributes for Options objects
- Implement expiring challanges
- Add lifecycle events
- Extract param helpers into Request
- Add passkey_creation_options and passkey_request_options helpers
- Add create_passkey_challenge to make it easier to override the create method if needed
- Prefix all view helpers with passkey_
- Auto-include ActionPack::Passkey::Holder
- Make the passkey challange url configurable
- Add a reminder about Passkeys to the magic link email
Rename logout controller to clear-offline-cache and attach it to the
magic link verification form so the service worker cache is cleared
when a different user signs in.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds a logout Stimulus controller that sends a message to the service
worker to clear all cached content when the user logs out. This ensures
that cached data from one user isn't accessible after logout.
The implementation:
- Adds logout_controller.js that posts { action: "clearCache" } to the
service worker via postMessage
- Updates logout buttons to use the controller on form submission
Also fixes data-turbo placement: moved from button to form element where
it actually takes effect for disabling Turbo Drive form submissions.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* Add JSON response format to void-response controller actions
Add respond_to blocks with JSON format to 14 controllers that
previously only rendered HTML or Turbo Stream responses. JSON
callers get head :no_content (or :created/:ok for push
subscriptions, distinguishing new vs existing).
Covers: board involvements, board/account entropies, column
reordering, card readings, card publishing, user roles, user
avatars, account settings, notification settings, join codes
(with 422 error branch), and push subscriptions.
* Add steps index endpoint with JSON view
Add index action to Cards::StepsController so SDK/CLI callers
can list all steps for a card. Reuses the existing _step.json
partial.
* Add JSON views for paginated card list endpoints
Add show.json.jbuilder for stream, not-now, and closed column
endpoints. No controller changes needed — set_page_and_extract_
portion_from and fresh_when already work format-agnostically.
* Add JSON search endpoint with distinct-card pagination
JSON search paginates distinct Card records (via the existing
Card.mentioning scope with .distinct) rather than Search::Record
objects. This ensures page boundaries, Link headers, and counts
reflect unique cards — no short pages from post-pagination dedup.
ID-match searches return a uniform single-element Card[] array
through the same pagination path.
* Add JSON views for settings and configuration endpoints
Add show.json.jbuilder for account settings (name), join codes
(code, usage_count, usage_limit, url, active), and notification
settings (bundle_email_frequency). Tests for show and update
were added in the void-response commit.
* Add JSON response format to data exports
Create returns 201 with export id, status, and created_at so
callers can poll. Show returns any-status exports for JSON (not
just completed) with a download_url when ready, or 404 for
missing/other-user exports.
* Extend access token JSON API
Add index.json and _access_token.json partial for listing tokens.
Add JSON format to destroy. Include id and created_at in the
create response alongside the existing token/description/permission
fields.
* Fix ambiguous precedence warning in export JSON view
* Assert X-Total-Count pagination header in streams JSON test
* Address review feedback
- Guard steps index against HTML requests (redirect to card)
- Normalize created_at to UTC in access token and export JSON
- Add deterministic ordering (.latest) to search JSON pagination
* Return 406 for HTML requests to steps index instead of redirect
* Add wrap_parameters for flat SDK JSON payload compatibility
Five controllers infer the wrong wrapper key from their class
name, so flat JSON bodies like {"role":"admin"} fail with 400.
Add explicit wrap_parameters declarations:
- Users::RolesController → :user
- Notifications::SettingsController → :user_settings
- Account::JoinCodesController → :account_join_code
- Account::SettingsController → :account
- Boards::EntropiesController → :board
Add integration tests that send flat (unwrapped) JSON payloads
for all seven param-bearing endpoints to prove SDK compatibility.
* Address PR review feedback
- Use 201 Created (not 204) for all create actions: publishes, readings,
left/right positions, push subscriptions
- Simplify push subscription to always return :created (no 200/201 variance)
- Remove superfluous respond_to block from steps#index
- Merge exports#show into single respond_to block
- Move export download_url conditional out of inline args
- Ensure join code active is explicitly boolean
- Remove extra parens from search controller assignment
- Add blank lines between format blocks for readability
* Return JSON bodies on create actions
Create actions for boards, cards, columns, comments, and steps now
render the resource as JSON (via their show views) instead of returning
empty 201 responses with only a Location header. SDKs expect a JSON
body they can deserialize into the created resource.
* Return JSON bodies on reaction create actions
Card and comment reaction creates now render the reaction as JSON
instead of returning empty 201 responses, consistent with the other
resource-creating endpoints.
* Allow access tokens API without account scope
Access tokens are identity-level (not account-scoped), so the
controller needs to work with bearer token auth and no account slug
in the URL. Skip require_account so the bearer token auth path
can proceed.
Also fix involvement test to send params in JSON body (not query
string) to match real SDK usage.
Include identity.id in the my/identity.json response and return an
empty body from the CREATE signup/completions.json endpoint.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* main: (127 commits)
Align board name start so it doesn't get too big
Clean up card/events header layout
Sync email to Stripe when user changes email address (#2432)
Fix IDOR in webhook activation endpoint (#2431)
Add card reactions to API docs and reactions_url to card JSON (#2427)
Remove unnecessary claude plan
Allow boosts on cards (#2411)
Revert "Fix notification click URL by using correct data property"
Add migration to remove draft cards from search index
Guard search indexing with searchable? check
Forbid comments on draft cards
prefactor: update search to use published cards
Fix notification click URL by using correct data property
Wait for service worker to be active before subscribing
Fix stuck state when permission granted but no subscription
Extract Card::Commentable
Include arm64 build in Docker workflow
Remove unnecessary `await` in push handler
Correctly initialise WebPush connection (#2417)
Update models, views, and fixtures for polymorphic reactions
...
* main:
Add rollback script to convert relative URLs back to absolute
Add a script to migrate existing rich texts to relative URLs
Use relative URLs where possible across all the app
Use relative URLs for avatars and rich text attachments
Skipping API responses, where we need absolute URLs, and those that are
intended for sharing or external use:
- account/join_codes/show.html.erb - Join code URL for sharing
- boards/edit/_publication.html.erb - Publication URL for sharing
- public/* views - Public page URLs and og:url meta tags
- pwa/manifest.json.erb - PWA manifest needs absolute URLs
For this, we had to replace `url_for` used with Active Storage variants
and previews with the specific path helper (for Active Storage
representations).
* main: (22 commits)
Disable card column buttons when active
Prevent comment content from overlapping with reaction button
Delete pins belonging to cards in a board with revoked access
Update development dependencies in SAAS lockfile
Update runtime dependencies
Update development dependencies
Balance magic link instructions
Add `.txt-balance` utility
Move handleDesktop inside restoreColumnsDisablingTransitions
Adjust border radius
Clean up blank slates
Add dialog manager to events page
More sturated mini bubbles in light mode
Brighten mini bubbles in dark mode
Use separate cache namespaces for each beta instance
Bump boost size up a tick on mobile
Move Undo form inside closure message element
Phrasing tweak for exceeding storage limit
Keep strong tags words on same line
Allow ActionText embed reuse and safe purge (#2346)
...
* main:
Consolidate footer text into a shared partial
Tweak comment history button on mobile
Transparent lexxy toolbar when inside a golden card
Add rel noopener to external links
* main: (107 commits)
Document the new sign in method
Replace handle_ naming
Use same constant for fake magic links
Replace FakeMagicLink with a temporary object
Tidy up session_token
Clean up interfaces
Split tests by controller or responsibility
Simplify auth logic
Fix due to unit test when creating with invalid emails
Restore sessions_controller test on creating invalid email address
Move magic link api tests to their own files
Rename test to clarify what they're about
Cleanup session creation
Update to always return a pending auth token for JSON responses.
Update API test for cross code
Change test expectation on single tenant mode account creation
Add unit tests for the new endpoints
Pass a server token when creating a magic link via API
Simplify code a bit
Simplify session create logic for both html and json
...
Add account data to fresh_when etag arrays so Rails serves fresh responses after account changes.
- Add @accounts to menus controller etag
- Add Current.account to boards controller etag
- Add ETag cache invalidation tests for both controllers
This allows us to have different cache controls depending on whether
you're viewing your own avatar, or someone else's. Your own avatar will
always be fresh, while other folks' avatars can be pulled from the CDN.